Critical CodeBuild Regional

CodeBuild project environment variables should not contain clear text credentials

PCI DSS, NIST, ISO 27001

Description

Checks the environment variables of AWS CodeBuild projects for clear text credentials, such as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, PASSWORD and TOKEN. Storing sensitive credentials in plaintext can lead to security vulnerabilities.


Remediation

To remediate this issue, remove any clear text credentials from the environment variables of your CodeBuild projects.

Steps

  1. Open the AWS CodeBuild console at https://console.aws.amazon.com/codebuild/.
  2. Choose the build project you want to modify.
  3. In the project settings, navigate to the 'Environment' section.
  4. Review the environment variables and remove any that contain clear text credentials such as 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'PASSWORD', 'TOKEN'.
  5. Consider using AWS Systems Manager Parameter Store or AWS Secrets Manager to securely store and manage credentials.
  6. Update the project to retrieve credentials from a secure source during the build process.
  7. Save the changes to the project configuration.
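
The review in step 4 can be run across many projects at once. The following is an added example, not part of the original rule or of any AWS tooling: it scans a response in the shape returned by `aws codebuild batch-get-projects`. The function name, the access-key-ID value pattern and the sample data are assumptions constructed for illustration.

```python
import re

# Name fragments taken from the rule description on this page.
SENSITIVE_NAME_PARTS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "PASSWORD", "TOKEN")
# Assumption beyond the page: also flag values shaped like an AWS access key ID.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")


def find_plaintext_credentials(response):
    """Return (project, variable, reason) for each suspicious PLAINTEXT variable."""
    findings = []
    for project in response.get("projects", []):
        env_vars = project.get("environment", {}).get("environmentVariables", [])
        for var in env_vars:
            # Treat a variable with no "type" as PLAINTEXT (the CodeBuild default).
            if var.get("type", "PLAINTEXT") != "PLAINTEXT":
                continue  # PARAMETER_STORE / SECRETS_MANAGER hold a reference only
            name = var.get("name", "")
            if any(part in name.upper() for part in SENSITIVE_NAME_PARTS):
                reason = "sensitive name"
            elif ACCESS_KEY_ID_RE.search(var.get("value", "")):
                reason = "value looks like an access key ID"
            else:
                continue
            # Report the name only; never copy the secret value into scan output.
            findings.append((project.get("name", "?"), name, reason))
    return findings


# Constructed sample in the shape returned by `aws codebuild batch-get-projects`.
SAMPLE_RESPONSE = {"projects": [
    {"name": "web-build", "environment": {"environmentVariables": [
        {"name": "AWS_ACCESS_KEY_ID", "value": "AKIACONSTRUCTED00000", "type": "PLAINTEXT"},
        {"name": "DB_PASSWORD", "value": "prod/db:password", "type": "SECRETS_MANAGER"},
        {"name": "NPM_TOKEN", "value": "constructed-token-value"},
        {"name": "DEPLOY_KEY", "value": "AKIACONSTRUCTED00000", "type": "PLAINTEXT"},
        {"name": "STAGE", "value": "prod", "type": "PLAINTEXT"},
    ]}},
    {"name": "api-build", "environment": {"environmentVariables": [
        {"name": "GITHUB_TOKEN", "value": "/ci/github-token", "type": "PARAMETER_STORE"},
    ]}},
]}

if __name__ == "__main__":
    for project, name, reason in find_plaintext_credentials(SAMPLE_RESPONSE):
        print(f"{project}: {name} ({reason})")
```

Variables of type PARAMETER_STORE or SECRETS_MANAGER pass the check because their value is a reference that CodeBuild resolves at build time, which is the end state steps 5 and 6 aim for.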

Compliance

PCI DSS, NIST, ISO 27001